Electronic communication networks based on the Internet Protocol (IP) have become ubiquitous. Although the primary focus of the information technology (IT) industry over the last two decades has been to achieve “anytime, anywhere” IP network connectivity, that problem has, to a large extent, been solved. Individuals can now use a wide variety of devices connected to a combination of public and private networks to communicate with each other and use applications within and between private enterprises, government agencies, public spaces (such as coffee shops and airports), and even private residences. A corporate executive can now reliably send an email message wirelessly using a handheld device at a restaurant to a schoolteacher using a desktop computer connected to the Internet by a wired telephone line halfway around the world.
In other words, virtually any IP-enabled device today can communicate with any other IP-enabled device at any time. Advances in the resiliency, reliability, and speed of IP connections have been made possible by improvements to the traditional routers and switches that form the “connectivity plane” of IP networks. Such “IP connectivity” networks have propelled business productivity enormously the world over.
Because the problem of IP connectivity has largely been solved, the enterprise network industry now faces an important inflection point. Some IP networks today include not only switches and routers, but also a host of point solution appliances (sometimes called “bumps in the wire”) which have been added to the network over time in attempts to perform functions that the switches and routers themselves were not responsible for performing. In other cases, these additional functions have been “bolted on” to the switches and routers themselves. These additional control functions, whether installed as separate appliances or as “bolt-ons,” have been used, for example, to act as network access firewalls, to perform intrusion detection and prevention, and to enforce policy-based application bandwidth control. Although these control functions often work relatively well for their individual intended purposes, their introduction (whether in the form of point solution appliances or bolt-ons to switches and routers) has led to high-cost, difficult-to-manage network environments.
The problems addressed, however inadequately, by such added control functions are only growing in scope and complexity. One of the greatest strengths of IP networks—their openness—is now exposing enterprise networks to constant infrastructure and information security threats. These threats can lead to catastrophic business downtime and even legal liability for invasion of privacy.
Furthermore, although IP networks originally only carried data traffic, such networks are increasingly relied upon also to carry traffic for mission-critical business applications, voice, and video. Each of these kinds of traffic has its own performance requirements. Combining these multiple kinds of traffic into a single IP network is leading to application performance issues that the connectivity plane (e.g., switches and routers) was not designed to address. For example, conventional connectivity networks were not designed to provide the quality of service (QoS), authentication, encryption, and threat management needed for these new business-critical functions. As an example, conventional connectivity networks typically lack the ability to maintain the high QoS required by voice traffic in the face of bursts of data traffic on the same network.
Furthermore, the cost of network downtime has skyrocketed. When businesses relied on their IP networks only for data traffic, and when such data traffic was required for only a small portion of the business' activities, the cost of having an email server down for an hour was relatively low. Now that voice, data, video, application and other traffic are combined onto the same network, and now that an increasingly large percentage of business functions rely on such traffic, the cost of network downtime is significantly higher. In essence, when the network stops, the business stops, leading to lost productivity, lost revenue, and customer dissatisfaction.
Enterprise executives understand this reality. From a technical perspective, CIOs know that the current connectivity network cannot resolve security and application performance issues. In turn, from a financial perspective, CFOs are concerned that it will be too expensive to solve these problems by performing a “forklift upgrade”—replacing the entire connectivity plane with new hardware. Finally, from an overall business perspective, CEOs cannot tolerate network security downtime risk, and are demanding predictable, stable application performance.
Consider some of the problems of conventional connectivity networks in more detail. A bare IP network typically does not perform any kind of “access control”—controlling which users and devices can access the network. In general, access control policies define which traffic is allowed onto the network based on the identity of the user and/or device transmitting the traffic. One solution to this problem has been to use firewalls to establish a network “perimeter” defining which users and devices are “inside”—and therefore authorized to access the network—and which users and devices are “outside”—and therefore prohibited from accessing the network. The concept of a clear network perimeter made sense when all users accessed the network from fixed devices (such as desktop computers) that were physically located within and wired to the network. Now, however, users access the network from a variety of devices—including laptops, cell phones, and PDAs—using both wired and wireless connections, and from a variety of locations inside and outside the physical plant of the enterprise. As a result, the perimeter has blurred, thereby limiting the utility of firewalls and other systems which are premised on a clear inside-outside distinction.
A bare IP network also does not perform any kind of “attack control”—protecting the network against viruses, worms, and other malicious network activity. In general, attack control policies define criteria for identifying traffic as malicious, and the actions to be applied to such malicious traffic (such as excluding it from the network). Today's networks are constantly under attack, both by directed and non-directed attacks. Furthermore, the attacks continually evolve, often making yesterday's defenses obsolete. Moreover, network vulnerabilities often are discovered and exploited more quickly today than in the past, as a result of increased availability of turnkey attack tools that automatically search for and attack weak points in the network.
The typical cost of a successful attack is higher today than in the past because of the increased value of information stored on modern networks. The same use of the network to connect a larger number and wider variety of devices that leads to problems for traditional access control mechanisms has also spurred the use of the network to store increasingly high-value information. Anyone who has attempted to store copies of the same data on a desktop computer, laptop computer, PDA, and cell phone, and to synchronize that data across all of the devices, knows that storing data at the edge of the network can be inefficient. This has led to a movement of data back toward a centralized depository. Although such centralization can lead to increased efficiency, it also serves as a tempting lure for high-value attacks on the network.
Furthermore, a bare IP network does not perform any kind of “application control.”. In general, application control policies define how traffic within the network is handled, based on the application transmitting the traffic. Traditional routers and switches route packets without any knowledge of the applications transmitting or receiving those packets. Application control is critical, however, in the context of modern IP networks in which applications are consolidated into a single IP infrastructure, and in which mission-critical data applications and non-critical applications compete with each other for network bandwidth.
For example, the telephone network traditionally has been a physically separate network from the data network. As the telephone network converges with the data network, businesses gain tremendous advantages in both cost and the ability to deploy new voice services. But they do so at the risk of exposing telephony, an application of extremely high availability expectation, to the perils of the IP environment. As mentioned above, the result is that voice-over-IP (VoIP) tends to work well in a lightly-loaded customer network—until traffic surges or the network comes under attack. The challenge is to imbue telephony with the benefits of IP networks without sacrificing quality of service.
Unproductive network traffic has also increased due to the emergence of bandwidth-consuming peer-to-peer applications, such as BitTorrent, Kazaa, and Gnutella. Furthermore, as new devices connect to the network, bandwidth increases accordingly, as well as the probability of a malfunctioning device flooding the network with garbage traffic. Conventional connectivity networks, which do not distinguish between packets delivered by or transmitted to different applications, are unequipped to address these problems.